News Feature | February 25, 2014

$6.8 Million HIPAA Fine Levied

Source: Health IT Outcomes
Christine Kern

By Christine Kern, contributing writer

HIPAA Fine Levied

San Juan firm faces $6.8 million in HIPAA penalties for improperly handling the medical records of some 70,000 individuals

While Federal HIPAA violation penalties are limited to $1.5 million per incident per year, additional state and regional fines may be assessed for those disregarding privacy and security laws, a fact that Triple-S Management Corp, a San Juan-based insurance holding company, discovered first hand.

Triple S Salud was recently assessed with a record $6.8 million in penalties for improperly handling the medical records of some 70,000 individuals, according to HHS data and a Caribbean Business report.  

Triple-S Salud reportedly mailed letters to its Medicare Advantage patients with the Medicare numbers visible from the outside, a clear violation of HIPAA regulations. The mailing error affected approximately 13,000 beneficiaries resulting in a fine higher than any HIPAA-related penalty to date.

Healthcare IT News reports Puerto Rico's Health Insurance Administration issued the fines, based on a breach that occurred September of last year. According to HHS data, this is the second big HIPAA breach for Triple-S, which currently handles the benefits for some 2.2 million people. The Federal HIPAA regulations require notification of breaches to affected individuals within 60 days of discovery. 

According to Gov info Security, Ricardo Rivera Cardona, the top official at the Puerto Rican government agency that issued the HIPAA fine, further sanctions could be forthcoming for other organizations that fail to safeguard individuals' protected health information. He noted that the Puerto Rico Health Insurance Administration, a government insurance office that's also called by its Spanish language acronym "ASES," is investigating two other HIPAA-related cases.

The investigations signal a crackdown on violation of personal data by healthcare providers and insurers. He stated, "We are sending a message that we are here to enforce. There are no exceptions, no matter how big or small an institution is. ASES will make sure patients have access to medical services, and that their patient information is also protected. We are adamant about this."

The fines were disclosed in an 8-K document filed on Feb. 18 with the Securities and Exchange Commission by Triple-S Management Corp. The sanctions were a result of a 2013 breach involving 13,336 of the company's Dual Eligible Medicare beneficiaries. The Dual Eligible Medicare coverage is offered to older, low-income individuals who are eligible for Medicare and Medicaid.

In addition to the fines, the ASES sanctions against Triple S Salud include the suspension of all new enrollments of Dual Eligible Medicare beneficiaries and the obligation to notify affected individuals of their right to disenroll.

The filing states, "Triple S conducted an investigation and reported the incident to the appropriate Puerto Rico and federal government agencies. It then received and complied with requests for information from ASES concerning our Dual Eligible Medicare beneficiaries" affected by the breach. The company says followed protocol and issued a breach notification through the local media and notified all affected beneficiaries by mail. In addition, it is offering those affected 12 months of free credit monitoring and identity protection through an independent provider.

Since 2008, nearly 699,000 individuals have had their medical records breached by Puerto Rico HIPAA-covered entities and business individuals. Nationwide, some 29.3 million individuals have been affected by a HIPAA privacy or security breach.